Bill Robins says we still have time to
mobilise against a massive cyber-attack

In Information Warfare, the deal is not the technology but the management:
the way you manage your way through the attacks. If you get excited about
this in a nerd-like way, you have probably lost the plot. Information Warfare
is important; much too important to be left to the military.

Modern war

From the point of view of the military, the definition of Information Warfare
is to make the best use of information for your own purposes, while denying
that to the opposition. The opposition is, of course nowadays very dispersed.
In a place like Kosovo, it may be separate bunches of people who do not do
each other any good. It all becomes very complex, and one tends to get a very
mixed degree of trust between various parties.

This is rather like the business environment. Information Warfare has become
so important because, whereas five years ago, IT was little more than a filing-cabinet,
now it is the fuel of a nation's GDP. The trend is coherence, the integration
of information from all sources, and this means connectivity to the home.

Asymmetric warfare

And the more integrated we are, the more vulnerable we become. This can be
used in two ways. The first is for a rich nation to use the technology to
thwart a much larger nation. The second is the way the infrastructure of a
country can be exploited by a much smaller power. The USA's Department of
Defence calls this asymmetric warfare.

On 16 March 99, the Financial Times reported that China was building an
offensive IW capability targeted on the USA. Last November, the Computer Bulletin
reported that there were 250,000 attacks on American Department of Defence
installations in 1995. The writer, Brian Gladman, concludes that there are
no defences that are both complete and affordable. We are balancing degrees
of risk. I see no immediate danger of an electronic Pearl Harbor or a melt-down
of the UK's information infrastructure.

Things are getting worse

We have, I believe, a window of opportunity to get this nation prepared for
a serious attack before it happens, before sophisticated individuals join
forces with powerful institutions with a political motive to do something
really harmful.

I believe that the situation is getting worse for a number of reasons:

o In the 1980s an intruder had to have considerable technical knowledge.

o Systems were rarely connected.

Now people describe the details of viruses on the Net. Trapdoors and backdoors
are published, with pull-down menus. A lot more people can do a lot of harm.
A lot of them do get caught, but it is happening now in a much more sustained
way.

The danger of outsourcing

The other point is outsourcing. It is popular and could become more so. The
danger is not outsourcing itself, but sub-outsourcing of parts of the system.
We find that we have lost sight of people who manage key parts of our systems.
The third point is: how do you know when you are under attack?

In 1994, the Department of Defence IS Agency in Arlington Virginia launched
some 12,000 attacks on DoD installations. More than 98 per cent, I am told,
were successful. Of those, 90 per cent were not detected, and the organisations
concerned had to be shown that they had been successfully attacked. Intruder
protection systems are now much better than they were, but this does still
give concern.

The international dimension

Then there is the international dimension. Any clever hacker makes sure that
he builds an international pathway through some nations that do not have the
same attitude to hackers as we might. This makes life difficult for the security
people.

A collection of insecure parts

My final point is directed to the software industry. The drive to functionality
has driven systems from tightly drawn protected systems into rich but vulnerable
systems. You have seen criticisms in the press of vulnerable widely-used operating
and application systems. This will continue. We, as an industry, have got
to get our act together. Otherwise, tomorrow's integrated system will be a
heterogeneous collection of insecure parts.

Threat and response

Turning to the national information infrastructure, the risk overall is a
function of threat and response. The first part is security: will the data
be protected from being read? Then comes integrity: will the systems let us
down? Will they be available when we need them? Then there is authentication:
can I be sure of the identity of who has told me something over the Net? Lastly
"non-repudiation". If I have done a deal over the Net, can I be sure that
it will be fulfilled?

The sixth rule of System Security is the "insider threat". Our worst danger
is ourselves and our own people. To handle all these threats, I recommend
the BS 7799 standard, which has been adopted by the Dutch and the Australians
as their standard too. There is a vast amount of USA experience on the subject,
and the "US National Plan for Information Systems Protection", published in
January on the White House website, is an impressive document.

A single responsible body

The departments of Government, which are combating these threats must accept
there must be a single responsible body. On 20 December last year, a National
Infrastructure Co-ordination cell was set up, to run the UNIRAS, the Unified
Incident and Reporting System, which is the central body, which takes reports
of intrusions, collates them and creates central policies to improve things
in the future.

DK Matai lists some of the major attacks over the last few years

In 1999, the value of the Internet economy was already $300 billion, larger
than either the energy and telecom sectors. This year it should, at $500 billion,
have overtaken the automotive sector which took 75 years to get to its present
value.

Defining eRisk

We define eRisk as "problems that occur in business or government from system
overload or electronic attack from viruses or hackers". Those at risk are
business and financial companies, utilities and national security agencies.

There are four broad types of electronic attack: denial of service, piracy,
surrogacy and hazards.

o By denial of service, I mean making a computer system or website
unable to service its customers.

o Piracy is to do with intellectual capital stored behind that website
or server, being stolen by foreign governments or malevolent characters around
the world.

o Surrogacy is pretending to be a well-established brand name, to
make purchases over the Internet.

o Hazards take place when a hacker or terrorist gets hold of details
of personnel working in sensitive parts of the world for the purpose of blackmail,
by threatening to publish the address of such persons on the Internet.

Taking counter-measures

To counter these attacks an e-business must consider four elements of e-risk
before going online. The first is legal: in many countries there is little
legal framework for financial institutions or other e-traders to work under.
Nor is the consumer protected, when buying something outside his country's
jurisdiction. We are still in an embryonic phase.

There are human resource problems. When we see attacks on finance institutions,
where we have clients, we find that the in-house staff have been suborned.
There is collusion between outsiders and insiders. There has to be legislation
to halt this kind of activity.

Finally, there is the question of insurance. Lloyds of London is leading
the world in electronic risks insurance. More needs to be done to create legislation
to stop firms going online without appropriate insurance. At the moment, there
is no government consideration about the needs for insurance.

Who are the hackers?

There are about 10,000 serious hackers in the world today. They are able
to camouflage their trails, move money from one bank to another. About 60-70
per cent are disgruntled employees. Others do it for financial gain. Some
do it for the challenge and as an intellectual game. In the last 12 months,
there have appeared some with political motivation. In a survey of 2,700 security
professionals, the number of attacks made by hackers and terrorists was estimated
to have risen from 14 per cent in 1998 to 49 per cent.

Attacks by foreign governments have also risen sharply, largely because
of the Kosovo war. NATO and DoD systems were attacked, and some DoD systems
were disabled for over 36 hours. After the bombing of the Chinese Embassy,
over 140 American companies were attacked and their websites defaced with
anti-American graffiti. The White House site itself was defaced by Hong Kong
activists.

We also have to fear those who go into the websites of stockbrokers and
change the prices in a very subtle way. In 1999, the "Hackers Unite" group
accessed Microsoft Hotmail, using only nine lines of HTML code, bypassed security,
and gained access to all the e-mail accounts. They hacked into information
posted on the Web and caused the Market Cap to fall $15.3 billion .

In 1999, an American student "MagicFX", aged 22, hacked into eBay, the Electronic
Auction site, valued on 8th March at $21.3 Billion. He took "root access"
to the computers, which allowed him to change the prices, place false statements
and images on the site, divert traffic to other sites and crash the whole
eBay network. As a result, 60 per cent of its share price was wiped out in
12 weeks.

In November 1999, the Halifax suspended its Internet share-dealing service
after customers were able to access other people's accounts, because of faulty
system design.

President Clinton acts

So, the dangers in Internet trading are very real. So much so that in January
1999, President Clinton allocated $1.46 billion to improve US Government computer
security against cyber-terrorism. He increased this money by $600 million
and in January 2000 asked for $2 billion more expenditure to form an Institute
to tighten eSecurity , and to provide scholarships in computer security.

Simon Davies blames the American Government for privacy and encryption policies

My task is to appear as a privacy advocate, a term of abuse in the commercial
world. However the individual and the business both want to keep their information
secure. Our intention at the moment is to persuade the US Government to create
a privacy law. Once the USA takes the lead, the whole security culture will
change.

Wanted: a good encryption law

For the past five years, we and other cyber-rights and liberty organisations
have tried to persuade the UK Parliament to adopt responsible encryption law.
At the 'Scrambling for Safety' conferences from 1997 onwards, we were at loggerheads
with the DTI, with Downing Street, with the Home Office, GCHQ. If we have
a threat now, it is because the US Government has been responsible for destabilising
the development of secure encryption and a wholesome security culture. The
UK Government has followed suit.

There is no risk-analysis

I was brought out last month to Washington DC by the Rand Corporation to
advise the Army on whether it should establish new identification systems
and access control systems for computers and battle environments. At a meeting
with most of the Government agencies I asked whether anyone could provide
me with a threat analysis as a basis for the discussion. No one had an answer,
and it turned out that all the tens of million dollars asked for was at the
request of a West Virginian Senator, as an employment generator in his State.
We asked for the definition of unauthorised attacks behind these figures of
250,000 attacks, and got no answer.

Corporates know what it means to secure their systems, but I believe that
at the national infrastructure level, the problem is obscured by rhetoric,
a luridly painted bucket into which we throw everything. It is like national
security. There seems to be no interest in public debate. I think we need
that. Perhaps we should revisit the idea of what we mean by a national encryption
policy. Encryption is the future battleground of privacy and of security.
If we don't get it right in the next year, we will be in trouble, because
UK Government legislation is actively discouraging trust.

The RIP Bill does not help

When I look at the RIP Bill, I see that the police can demand your key. If
you cannot provide your key, you can be imprisoned for up to two years. If
you tell your lawyer or anyone else, you can be imprisoned for up to five
years. It is an extraordinary breach of what we have gone through to develop
trust in information systems. And I would urge PITCOM members to see if there
is any way to reverse this trend.

comments and questions

John McWilliam MP, Chairman PITCOM : You make out that
the NSA and GCHQ do not trust anyone. Surely they only act when there is suspicion
of criminal or terrorist intent?

Simon Davies : They are playing two hands in the card
game. It is generally accepted that the NSA, and presumably GCHQ as well,
have been intercepting commercial communications. It is not just about crime:
it is about economic intelligence gathering. Congress will be debating this
in March.

Margaret Ross, BCS Southampton : Is it time to look
again at the Computer Misuse Act and the Data Protection Act?

Bill Robins : Older legislation should be looked at
to counter these new threats. A general point I would like to make is that
the longest encryption key is useless if it comes in a faulty envelope. An
integrated security system will deter the casual hackers who give most of
the trouble at the moment.

DK Matai : Twenty five per cent of the attacks come
from Eastern Europe, and it is therefore important to internationalise the
Computer Misuse Act.

Adrian Norman, Consultant : It is time to collaborate,
not just to get one's own system right. Otherwise, we will be like a safe
driver on a road on which most others cannot drive, or drive according to
different rules.

DK Matai : The financial community seems reluctant to
co-operate with each other in the City of London on these matters, let alone
between two countries. The community is not yet mature enough to produce standards.

Bill Robins : Indeed, if I am travelling in France and
buy a German product from an American store on the Net, where does the responsibility
lie if the transaction goes wrong?

Simon Moores, Chairman Research group, mi2g : Should
we not go for a national government network, or at least a back-up system,
using different security protocols?

Simon Davies : You have to look at the failure of the
NHSNet, to see what happened to this grand vision of a health infrastructure.
I wouldn't trust the Government with such a system. Simon Coombs, ex-treasurer
of PITCOM: How many hackers get caught?

DK Matai : Some years ago, a Russian hacked into the
CitiBank in America, and was caught. Ninety per cent of attacks are not reported
by financial institutions for fear of adverse publicity.

Bill Robins : One wonders whether mandatory reporting
of attacks is a good idea. I suspect it may give more trouble than it is worth.
However, a central record of those who have suffered such attacks would be
a good thing. We do need a National Security Cell, covering the utilities
as well as government. At the moment, discussion on a National Security Infrastructure
flops about a bit.

David Firnberg : Who is going to kick the backside of
the ostrich? I ask this because there seems to be a lot of ostriches here
today, with their heads in the sand. Who is going to be the prime mover to
solve these problems: the NCC, EURIM, or the Government?

DK Matai : The Government and other governments around
the world.

Bill Robins : The Cabinet Office has been leading policy
in this area and the Home Office will become the managing Department. What
is now needed is close co-operation between Government and Industry. This
is still not happening as much as it should. There will be new skills arising
in the security area: computer crime investigation for example. There must
be better supervision by IS managers. Those are the people who we will have
to rely on.

Good personnel management is essential. There must also be increased awareness
of information warfare in related professions: the legal profession and others.
This could all be part of Alex Allan's e-commerce initiative. Without security,
e-commerce is not going to get off the ground. Nobody is going to trust it.